fix: stabilize Chainsaw tests and add govulncheck to CI gate #185
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Security | |
| on: | |
| push: | |
| branches: [main] | |
| pull_request: | |
| branches: [main] | |
| workflow_dispatch: {} | |
| schedule: | |
| - cron: "0 6 * * 1" # Weekly Monday 6am UTC | |
| permissions: | |
| contents: read | |
| concurrency: | |
| group: security-${{ github.ref }} | |
| cancel-in-progress: ${{ github.ref != 'refs/heads/main' }} | |
| jobs: | |
| codeql: | |
| name: CodeQL | |
| permissions: | |
| contents: read | |
| security-events: write | |
| runs-on: ${{ vars.RUNNER || 'ubuntu-latest' }} | |
| timeout-minutes: 15 | |
| steps: | |
| - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 | |
| with: | |
| egress-policy: audit | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 | |
| - uses: github/codeql-action/init@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0 | |
| with: | |
| languages: go, actions | |
| - uses: github/codeql-action/autobuild@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0 | |
| - uses: github/codeql-action/analyze@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0 | |
| with: | |
| upload: always | |
| govulncheck: | |
| name: Govulncheck | |
| runs-on: ${{ vars.RUNNER || 'ubuntu-latest' }} | |
| timeout-minutes: 10 | |
| steps: | |
| - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 | |
| with: | |
| egress-policy: audit | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 | |
| - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6 | |
| with: | |
| go-version: "1.26" | |
| cache: true | |
| - name: Run govulncheck | |
| shell: bash -Eeuo pipefail -x {0} | |
| run: | | |
| go install golang.org/x/vuln/cmd/govulncheck@v1.3.0 | |
| govulncheck ./... | |
| trivy: | |
| name: Trivy | |
| runs-on: ${{ vars.RUNNER || 'ubuntu-latest' }} | |
| timeout-minutes: 10 | |
| steps: | |
| - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 | |
| with: | |
| egress-policy: audit | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 | |
| - uses: ./.github/actions/setup-clean-docker-config | |
| - name: Trivy filesystem scan | |
| uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0 | |
| with: | |
| scan-type: fs | |
| scan-ref: . | |
| scanners: vuln | |
| severity: HIGH,CRITICAL | |
| exit-code: 1 | |
| ignore-unfixed: true | |
| trivy-image: | |
| name: Trivy Image Scan | |
| runs-on: ${{ vars.RUNNER || 'ubuntu-latest' }} | |
| timeout-minutes: 15 | |
| steps: | |
| - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 | |
| with: | |
| egress-policy: audit | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 | |
| - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6 | |
| with: | |
| go-version: "1.26" | |
| cache: true | |
| - uses: ./.github/actions/setup-clean-docker-config | |
| - name: Build image for scanning | |
| shell: bash -Eeuo pipefail -x {0} | |
| run: | | |
| scan_tar="${RUNNER_TEMP:-/tmp}/attune-scan-${GITHUB_RUN_ID}-${GITHUB_JOB}.tar" | |
| # The Dockerfile uses FROM --platform=$BUILDPLATFORM which requires | |
| # BuildKit (buildx). Ensure buildx is usable, then build. | |
| # The Dockerfile uses --platform=$BUILDPLATFORM which requires BuildKit. | |
| # When buildx is available, use it directly. Otherwise, strip the | |
| # --platform directives (only needed for cross-compilation) and build | |
| # natively with the legacy builder. | |
| if docker buildx version &>/dev/null; then | |
| # Use --load (loads into local daemon) then docker save, | |
| # because --output type=docker is not supported by the | |
| # default docker driver on GitHub-hosted runners. | |
| docker buildx build --load -t attune:scan . | |
| docker save attune:scan -o "$scan_tar" | |
| else | |
| # Strip BuildKit-only features for a legacy-builder native build: | |
| # --platform=$VAR from FROM, --mount=type=cache,... from RUN, | |
| # and the # syntax= directive. | |
| sed -e 's/--platform=[^[:space:]]*//' -e '/^# syntax=/d' Dockerfile \ | |
| | awk '/^RUN --mount/ { printf "RUN "; next } /^[[:space:]]+--mount/ { next } { print }' \ | |
| > "${RUNNER_TEMP}/Dockerfile.scan" | |
| docker build -f "${RUNNER_TEMP}/Dockerfile.scan" -t attune:scan . | |
| docker save attune:scan -o "$scan_tar" | |
| fi | |
| - name: Trivy image scan | |
| uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0 | |
| with: | |
| input: ${{ runner.temp }}/attune-scan-${{ github.run_id }}-${{ github.job }}.tar | |
| severity: HIGH,CRITICAL | |
| exit-code: 1 | |
| ignore-unfixed: true | |
| - name: Cleanup scan artifacts | |
| if: always() | |
| shell: bash -Eeuo pipefail {0} | |
| run: rm -f "${RUNNER_TEMP:-/tmp}/attune-scan-${GITHUB_RUN_ID}-${GITHUB_JOB}.tar" | |
| gitleaks: | |
| name: Gitleaks | |
| runs-on: ${{ vars.RUNNER || 'ubuntu-latest' }} | |
| timeout-minutes: 10 | |
| steps: | |
| - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 | |
| with: | |
| egress-policy: audit | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 | |
| with: | |
| fetch-depth: 0 | |
| - name: Install gitleaks | |
| shell: bash -Eeuo pipefail -x {0} | |
| run: | | |
| export PATH="$HOME/.local/bin:$PATH" | |
| VER="8.30.1" | |
| # Verify the cached binary actually runs (catches arch mismatch) | |
| if command -v gitleaks &>/dev/null && gitleaks version &>/dev/null; then | |
| echo "gitleaks already installed: $(gitleaks version)" | |
| else | |
| mkdir -p "$HOME/.local/bin" | |
| OS="$(uname -s | tr '[:upper:]' '[:lower:]')" | |
| ARCH="$(uname -m)" | |
| case "$ARCH" in | |
| x86_64) ARCH="x64" ;; | |
| aarch64|arm64) ARCH="arm64" ;; | |
| esac | |
| curl -sfL "https://github.com/gitleaks/gitleaks/releases/download/v${VER}/gitleaks_${VER}_${OS}_${ARCH}.tar.gz" \ | |
| | tar xz -C "$HOME/.local/bin" gitleaks | |
| fi | |
| - name: Detect secrets | |
| shell: bash -Eeuo pipefail -x {0} | |
| run: | | |
| export PATH="$HOME/.local/bin:$PATH" | |
| gitleaks detect --source . --exit-code 1 | |
| dependency-review: | |
| name: Dependency Review | |
| runs-on: ${{ vars.RUNNER || 'ubuntu-latest' }} | |
| timeout-minutes: 10 | |
| if: github.event_name == 'pull_request' | |
| steps: | |
| - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 | |
| with: | |
| egress-policy: audit | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 | |
| - uses: actions/dependency-review-action@a1d282b36b6f3519aa1f3fc636f609c47dddb294 # v5.0.0 | |
| with: | |
| fail-on-severity: high |